| Business risks/Data | |
|---|---|
| Risk identification | Risk management |
| The Group has access to data relating to its products as well as to consumers’ current and future needs in different regions of the world. The volume of data collected and processed by L'Oréal or by its partners is increasing considerably with the growth in digital activities, particularly related to personalised services for consumers. These data may be altered, lost, copied or transferred unlawfully, or may be used fraudulently. Not only could this be detrimental to consumers, but it could also hinder the development of the Group's businesses or its Research & Innovation, Digital, Marketing and Finance activities. Regulations are being tightened around the world in terms of data protection (GDPR in Europe, CCPA in California, LGPD in Brazil, etc.), cybersecurity (NIS2 and CRA in Europe) and the use of artificial intelligence. As the use of artificial intelligence ramps up, L'Oréal must constantly ensure that its data management policy complies with all laws seeking to improve data protection, including in terms of confidentiality, controlling and limiting data transfer flows, and increasing traceability and transparency obligations. Any breach of data integrity or confidentiality, particularly regarding personal data processed by L'Oréal or its partners, regardless of the reason (whether exogenous or endogenous such as intrusions, malicious acts, etc.), could affect the privacy or safety of its users. This could have a significant impact on the Group’s reputation and consumer confidence, and therefore on its business and financial position. | The Group has established a system of governance to structure its data and ensure that it is used in an optimum manner. A dedicated department is responsible for leading and coordinating this approach, working closely with Operational and Functional Departments (notably Transformation and Finance). The Group constantly and progressively rolls out policies, training and data management tools as well as the associated organisational and technical measures. The Global IT Department has introduced strict rules about data security (back-up, protection and restrictions on access to confidential data). See also the “Information systems and cybersecurity” risk. Enhanced security measures are deployed to guarantee the safe use of artificial intelligence and to preserve the integrity and confidentiality of this data. L'Oréal has established a series of Ethical Principles for processing data, particularly personal data. This ethical framework, designed to comply with legal and regulatory requirements, has been shared with all employees and features in mandatory training courses, to raise awareness of the Group's commitments. L'Oréal created a Global Data Privacy Office in 2018 to provide legal expertise and manage the Group's compliance programme. The Group's Data Protection Officer (DPO) is supported by a central team and a global network of 50 data protection correspondents covering the whole of Europe and the main countries in which the Group operates. Governance is based on a Global Strategic Committee, a Steering Committee for each region and a network of data protection correspondents in the business lines and Regions. This governance structure monitors the Group's compliance with different laws, ensures the engagement of all stakeholders and makes sure the Group standards and regulations are duly adopted by suppliers and within the business lines. L'Oréal's commitments in terms of personal data and the risk management systems are detailed in section 4.8. |